====== Ubuntu - PAM - pam_passwdqc ======

**libpam-passwdqc** is a PAM module that tests passwords during a password change to make sure they are not too weak. It adds password entropy requirements on top of the standard security system. The **cracklib** module does not enforce password strength checking on the "root" account; to enforce password checking for all accounts, including root, the passwdqc PAM module can be used instead of the cracklib module.

----

===== Create the PAM configuration file for passwdqc =====

Create a PAM configuration file for passwdqc by issuing the following command:

<code bash>
sudo vi /usr/share/pam-configs/passwdqc
</code>

and populate it with the following:

<code>
Name: passwdqc password strength checking
Default: yes
Priority: 1024
Conflicts: cracklib
Password-Type: Primary
Password:
	requisite pam_passwdqc.so min=disabled,10,8,8,8 similar=deny enforce=users ask_oldauthtok check_oldauthtok
</code>

The Conflicts line marks this profile as mutually exclusive with the cracklib profile. Now issue the command:

<code bash>
sudo pam-auth-update
</code>

and ensure that the "passwdqc password strength checking" profile is enabled.

**WARNING**: Enabling the PAM passwdqc module will disable the PAM **cracklib** module.

----

===== Set the password strength policy =====

Issue the following command:

<code bash>
sudo vi /etc/pam.d/common-password
</code>

and populate it with the following:

<code>
password   requisite   pam_passwdqc.so min=disabled,10,8,8,8 max=40 similar=deny enforce=users ask_oldauthtok check_oldauthtok
password   [success=1 default=ignore]   pam_unix.so obscure use_authtok try_first_pass sha512
# here's the fallback if no module succeeds
password   requisite   pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password   required   pam_permit.so
</code>

By default, Ubuntu requires a minimum password length of 4 characters, as well as some basic entropy checks. These values are controlled in the file /etc/pam.d/common-password.
The **pam_passwdqc** manpage provides a lot of information, but the above essentially disallows passwords made from any single character class, enforces a minimum length of 10 characters for a password from any two character classes, a minimum length of 8 characters for a passphrase, a minimum length of 8 characters for a password from any three character classes, and a minimum length of 8 characters for a password from all four character classes. The four character classes are digits, lower-case letters, upper-case letters, and other characters (such as '!' and '_'). The above also enforces no passwords longer than 40 characters (max=40). The remaining options are outlined in the pam_passwdqc man page, and each option can be customized to suit your environment. Note that enforce=users only enforces the policy for non-root users (root sees the weak-password warning but is not blocked); use enforce=everyone, as in the example below, to have the policy enforced for root as well.

The above is actually less strict than the recommended default setting of "min=disabled,24,12,8,7", which can create some extremely difficult-to-crack passwords. pam_passwdqc has no unusual build requirements, so even if your distribution does not provide it in packaged form, installing and compiling from source should cause no problems whatsoever. The password hashes produced by pam_unix (sha512 above) use a randomly generated salt.

----

===== Examples =====

<code>
password requisite pam_passwdqc.so min=disabled,12,8,6,5 max=40 passphrase=3 match=4 similar=deny random=42 enforce=everyone retry=3
</code>
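To make the min=N0,N1,N2,N3,N4 tuple concrete, here is an added Python model (example code, not passwdqc's own implementation) of how the applicable minimum length is chosen for the policies quoted on this page: it counts character classes, applies passwdqc's rule that an upper-case first character and a digit last character do not count, and lets a two-class password with enough words qualify as a passphrase instead. Counting words as whitespace-separated tokens and treating non-ASCII characters as "other" are simplifications of my own.

```python
import string

# Added illustration, not passwdqc's own code: a simplified model of how the
# min=N0,N1,N2,N3,N4 option selects the minimum length. Simplifications: words
# are whitespace-separated tokens and non-ASCII characters count as "other".

def parse_min(spec):
    """Turn 'disabled,10,8,8,8' into [None, 10, 8, 8, 8]; None means disallowed."""
    parts = spec.split(",")
    if len(parts) != 5:
        raise ValueError("min= needs exactly five comma-separated values")
    return [None if p == "disabled" else int(p) for p in parts]

def count_classes(password):
    """Count character classes. As in passwdqc, an upper-case letter used as
    the first character and a digit used as the last character do not count."""
    digits = sum(c in string.digits for c in password)
    lowers = sum(c in string.ascii_lowercase for c in password)
    uppers = sum(c in string.ascii_uppercase for c in password)
    others = len(password) - digits - lowers - uppers
    if uppers and password[0] in string.ascii_uppercase:
        uppers -= 1
    if digits and password[-1] in string.digits:
        digits -= 1
    return sum(1 for n in (digits, lowers, uppers, others) if n)

def check(password, min_spec="disabled,10,8,8,8", max_len=40, passphrase_words=3):
    """Return (accepted, reason) for one candidate password under the policy."""
    if len(password) > max_len:
        return False, f"longer than max={max_len}"
    mins = parse_min(min_spec)
    classes = count_classes(password)
    if classes == 0:
        return False, "no characters count toward any class"
    # Tuple index: N0 one class, N1 two, N2 passphrase, N3 three, N4 four.
    required = mins[{1: 0, 2: 1, 3: 3, 4: 4}[classes]]
    # A two-class password with enough words may qualify as a passphrase (N2).
    if classes == 2 and mins[2] is not None and len(password.split()) >= passphrase_words:
        required = mins[2] if required is None else min(required, mins[2])
    if required is None:
        return False, f"{classes}-class passwords are disabled by policy"
    if len(password) < required:
        return False, f"{classes} classes need {required} chars, got {len(password)}"
    return True, f"accepted: {classes} classes, {len(password)} chars"

if __name__ == "__main__":
    for pw in ("Password1", "pass1word", "pass1words!", "red fox runs"):
        print(repr(pw), check(pw), check(pw, min_spec="disabled,24,12,8,7"))
```

Note that "Password1" is rejected under both policies: its capital and its trailing digit are discounted, leaving a single-class password, which is exactly the pattern the leading/trailing rule is meant to catch.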